This may be difficult. Are you saying that you have someone connecting to your wireless network who is unauthorized?

If you know what AP they are connecting to you can use Wireshark on a mirrored ethernet port on the same switch where the AP is. This may give you some insight on what they are doing. Also check DHCP; if the IP address is assigned from DHCP then the name of the device should be listed. If you know the MAC address, the first 6 characters of the MAC address identify the manufacturer who made the device. This may give you some indication of what device this is. If it comes down to it, just set up MAC filters on your AP and block all but known MAC devices, and then change your password on the WPA security.

@George1421 is on track by focusing on the MAC address. The MAC OID can help to narrow down the device type. You didn't specify the type of offending device (computer, printer, etc), but some traffic analysis should help there.

If it's your network (you should have permission to capture network traffic), use Wireshark and coloring rules for interesting traffic and focus on the rogue MAC.

Learn how to use Wireshark from the book Wireshark Network Analysis, and check out chapter 26 for WLAN focus.

I personally feel that MAC address filtering isn't worth the effort. It's trivial to change a MAC address. But the lazy or ignorant (not stupid, just less informed) rogue will just use their same MAC.

Keep unauthorized clients off your WLAN by using WPA2 and a long passphrase and changing the shared key frequently, which is a pain if you have high turnover, or use some sort of Network Access Control, e.g. 802.1X.
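The two replies above describe the same manual procedure: normalize the rogue MAC, take its first three bytes to get the vendor from the IEEE OUI registry, check the DHCP lease for a hostname, then filter the capture on that MAC. The script below is an added example (not code from either poster) that does those steps end to end. The OUI excerpt and the dhcpd.leases excerpt are constructed inline so it runs offline; the vendor names are placeholders, not real OUI assignments, and in practice you would load the real IEEE oui.txt and your own DHCP server's lease file.

```python
"""Map a rogue MAC on a WLAN to a vendor, a DHCP lease and a Wireshark filter.

Added example, not from the forum thread. All inputs below are constructed.
"""
import re

# Constructed excerpt in the IEEE oui.txt layout: "XX-XX-XX   (hex)\t\tVendor".
# Vendor names are placeholders, not real OUI assignments.
OUI_TXT = """\
00-11-22   (hex)\t\tExample Handset Maker
AA-BB-CC   (hex)\t\tExample Printer Corp
DE-AD-BE   (hex)\t\tExample Laptop Inc
"""

# Constructed ISC dhcpd.leases excerpt; the second lease sent no hostname.
LEASES = """\
lease 192.168.10.50 {
  starts 3 2012/03/07 10:00:00;
  ends 3 2012/03/07 22:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "Johns-iPhone";
}
lease 192.168.10.51 {
  starts 3 2012/03/07 11:00:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:ff;
}
"""


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 (Cisco style)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_oui(text: str) -> dict:
    """Return {'00:11:22': 'Vendor'} from oui.txt-style lines; other lines are ignored."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+)$", line)
        if m:
            table[":".join(m.group(1, 2, 3)).lower()] = m.group(4).strip()
    return table


def parse_leases(text: str) -> dict:
    """Return {mac: (ip, hostname or None)} from an ISC dhcpd.leases file."""
    result = {}
    for block in re.finditer(r"lease\s+(\S+)\s*\{(.*?)\}", text, re.S):
        ip, body = block.group(1), block.group(2)
        hw = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+);", body)
        if not hw:
            continue
        host = re.search(r'client-hostname\s+"([^"]*)";', body)
        result[normalize_mac(hw.group(1))] = (ip, host.group(1) if host else None)
    return result


def identify(mac: str, oui: dict, leases: dict) -> dict:
    """Combine OUI vendor, DHCP lease and a ready-made Wireshark display filter."""
    mac = normalize_mac(mac)
    ip, host = leases.get(mac, (None, None))
    return {
        "mac": mac,
        "vendor": oui.get(mac[:8], "unknown OUI"),   # first 3 bytes = 8 chars with colons
        "ip": ip,
        "hostname": host,
        # eth.addr matches on the mirrored switch port; wlan.addr on a monitor-mode capture.
        "wireshark_filter": f"eth.addr == {mac} || wlan.addr == {mac}",
    }


if __name__ == "__main__":
    oui = parse_oui(OUI_TXT)
    leases = parse_leases(LEASES)
    for rogue in ("0011.2233.4455", "AA-BB-CC-DD-EE-FF", "de:ad:be:ef:00:01"):
        print(identify(rogue, oui, leases))
```

The third address in the usage loop has a known OUI but no lease, which is the case you hit when the client uses a static address or the lease has already expired; the vendor and the display filter are still returned so you can go straight to the capture. Keep in mind, as bytesnagger says, that none of this survives a client that has changed its MAC.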

Thanks guys. This is a particular case where we have two WLANs set up, one for guests and one for staff. The guest WLAN does not have a route to our data LAN, so it is separated off. However, there is this one client that has been signed on for a while and has so far used 242+ MB of bandwidth.

Now this client is probably not an intrusion, but rather an associate using their smartphone to browse on Wi-Fi from our guest WLAN (which is not filtered by Websense). However, this is against our company policy, so that is why I am trying to track it down.

I'll be looking up the MAC to determine the manufacturer, but I was hoping there was some app out there I could use to triangulate the position of the device using my access points or something.

Not judging here, but having an open guest LAN might open your company up for legal action. Any activity on this guest LAN will be tracked back to your company. You need to secure this before you have Homeland Security at your door. You have Websense in place for a reason; you also have the guest Wi-Fi in place for a reason. Make sure what is going on is truly in the best interest of your company.

Another thought: whatever is going on there is consuming your bandwidth, taking away from your company's productivity. So far you say that this person has consumed 242 MB of bandwidth; depending on the span of time, this is a lot for a cell phone.

@bytesnagger MAC filtering is trivial, but it is the first layer in the defense in keeping the bad guys out. It does have value in that it keeps the casual user from accessing your infrastructure. You MUST have additional layers of protection to secure your Wi-Fi, as you mentioned.

One method I've used in the past to secure the guest VLAN (including a WEP password; yes, I know WEP is... but it is for the guests so I don't care) is to put a captive portal server on the guest LAN. Guest users were required to read our AUP and provide a valid user ID and password to get access to the internet. That way we were assured that we knew who was using our networks, and they understood the policy that they must follow when they used our networks.

Well, the WLAN itself is off a Cisco AP, and it is WPA + WPA2 PSK protected, so it is definitely not wide open. Our guests still need to get the passphrase from IT. I think an associate got ahold of the passphrase. For all I know, it could be the president of our company on his iPhone, so I don't want to outright block it until I can figure out whose it is.

I was just hoping to find a way that had a little more finesse, rather than blocking it outright.

I'll be looking up the MAC to determine the manufacturer, but I was hoping there was some app out there I could use to triangulate the position of the device using my access points or something.

Only if you are living in a movie...

The Yellowjacket® B/A/N/G Wi-Fi Analyzer is sweet looking, and so is that gadget she's holding onto. I've used external directional antennas in the past to isolate a source's location. I still have several home-made Cantennas, a fun project to build and learn about wireless technology.

The captive portal is a great recommendation from George1421 and a solution that I've implemented on many occasions using m0n0wall, pfSense and even the free Untangle Lite version. These systems can run headless once they're configured. I've attached a sample portal page that includes an AUP that can be used as a template.